The Fluid community recently discovered the vulnerability CVE-2023-51699. An attacker who has acquired permissions to create and modify Datasets and the JuiceFSRuntime can modify CustomResourceDefinitions (CRDs) to escalate privileges on the node where the JuiceFSRuntime is deployed. CVE-2023-51699 is rated as medium severity, and its Common Vulnerability Scoring System (CVSS) score is 4.0.
Affected versions
Clusters that use ack-fluid 1.0.6 or earlier and also use the JuiceFSRuntime are affected.
Impacts
If attackers acquire permissions to create and modify Datasets and the JuiceFSRuntime, they may gain access to a Kubernetes worker node without authorization.
Solution
Update the ack-fluid component of your cluster to v1.0.7 or later. For more information about how to update ack-fluid, see [Component Updates] Update ack-fluid.
How to prevent
Avoid accessing ACK clusters over the Internet. For more information about how to control access to the API server in a fine-grained manner, see Configure network ACLs for the API server of an ACK cluster.
If your cluster uses Resource Access Management (RAM) and Role-Based Access Control (RBAC) to enforce permission control, make sure that only trusted users can create custom Fluid resources. For more information, see Grant RBAC permissions to RAM users or RAM roles.
Use the API server auditing feature of Container Service for Kubernetes (ACK) to monitor abnormal Dataset creation operations.
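The audit-based monitoring recommended above can be sketched as follows. This is an added example, not code from ACK or Fluid: it scans Kubernetes API server audit events (JSON lines in the audit.k8s.io/v1 format) for writes to Fluid Dataset and JuiceFSRuntime resources by identities outside an allowlist. The allowlist entries, user names and sample events are constructed assumptions.

```python
import json

FLUID_GROUP = "data.fluid.io"              # API group of Fluid's custom resources
WATCHED = {"datasets", "juicefsruntimes"}  # resources named in the advisory
WRITE_VERBS = {"create", "update", "patch"}
# Assumption: identities allowed to manage Fluid resources in this cluster.
TRUSTED = {"system:serviceaccount:fluid-system:example-controller", "data-platform-admin"}

def find_untrusted_fluid_writes(audit_lines, trusted=TRUSTED):
    """Flag Dataset/JuiceFSRuntime writes made by identities outside `trusted`."""
    findings = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ref.get("apiGroup") != FLUID_GROUP:
            continue  # counting other stages would report one request twice
        user = (ev.get("user") or {}).get("username", "<unknown>")
        if ref.get("resource") not in WATCHED or ev.get("verb") not in WRITE_VERBS or user in trusted:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({"user": user, "verb": ev["verb"], "resource": ref["resource"],
                         "namespace": ref.get("namespace", ""), "name": ref.get("name", ""),
                         "allowed": 200 <= code < 300})  # False means a denied attempt
    return findings

def _event(user, verb, resource, code, group=FLUID_GROUP, stage="ResponseComplete"):
    """Build one constructed audit event line (sample data, not real logs)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"apiGroup": group, "resource": resource,
                                     "namespace": "default", "name": "demo"},
                       "responseStatus": {"code": code}})

SAMPLE_AUDIT_LOG = [
    _event("data-platform-admin", "create", "datasets", 201),   # trusted: ignored
    _event("dev-user-1", "create", "datasets", 201),            # flagged
    _event("dev-user-1", "patch", "juicefsruntimes", 200),      # flagged
    _event("dev-user-1", "patch", "juicefsruntimes", 200, stage="RequestReceived"),
    _event("dev-user-2", "update", "juicefsruntimes", 403),     # flagged, denied by RBAC
    _event("dev-user-2", "list", "datasets", 200),              # read: ignored
    _event("dev-user-2", "create", "pods", 201, group=""),      # not Fluid: ignored
    "{not json",                                                # malformed: skipped
]

if __name__ == "__main__":
    print(json.dumps(find_untrusted_fluid_writes(SAMPLE_AUDIT_LOG), indent=2))
```

Denied attempts are reported with `allowed` set to false, because repeated 403 responses on these resources from an unexpected identity are also worth reviewing.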